The U.S. Commerce Department added NSO Group and three other firms to the “entity list,” which limits their access to U.S. components and technology by requiring government permission for exports.
The department said putting these companies on the entity list was part of the Biden administration’s efforts to promote human rights in U.S. foreign policy.
NSO Group, the company behind the spy software known as Pegasus, has denied the allegations that Pegasus was used to carry out surveillance on journalists, activists – and even perhaps political leaders.
But high-end spy techniques, which used to be the exclusive preserve of a few states, are now spreading more widely and challenging the way we think about privacy and security in an online world.
“The United States is committed to aggressively using export controls to hold companies accountable that develop, traffic, or use technologies to conduct malicious activities that threaten the cybersecurity of members of civil society, dissidents, government officials, and organizations here and abroad,” said Secretary of Commerce Gina Raimondo.
The announcement was another blow to the NSO Group, which was the focus of reports by a media consortium earlier this year that found the company’s spyware tool Pegasus was used in several instances of successful or attempted phone hacks of business executives, human rights activists and others around the world.
Pegasus infiltrates phones to vacuum up personal and location data and surreptitiously controls the smartphone’s microphones and cameras. Researchers have found several examples of NSO Group tools using so-called “zero click” exploits that infect targeted mobile phones without any user interaction.
Tech giant Facebook is currently suing NSO Group in U.S. federal court for allegedly targeting some 1,400 users of its encrypted messaging service WhatsApp with highly sophisticated spyware.
A spokesman for the company did not immediately return a request for comment. NSO Group has hired prominent former U.S. officials and public relations firms to help bolster its image in recent years.
Stewart Baker, a cybersecurity lawyer and former general counsel at the National Security Agency, said it remains to be seen how big an impact Wednesday’s announcement will have on the NSO Group’s long-term health.
Baker said the Commerce Department will have significant discretion in how it handles licensing requests related to the NSO Group, and could face pressure from U.S. exporters and the Israeli government.
“We could see a situation in which the sanction has been granted and it has a great symbolic significance and some practical significance for NSO, but certainly isn’t a death penalty and may over time just be really aggravating,” said Baker.
Another Israeli spyware company, Candiru, was also added to the entity list. In July, Microsoft said it had blocked tools developed by Candiru that were used to spy on more than 100 people around the world, including politicians, human rights activists, journalists, academics and political dissidents.
A prominent Russian firm, Positive Technologies, and the Singapore-based Computer Security Initiative Consultancy were also placed on the list for trafficking in “cyber tools used to gain unauthorized access” to IT systems, the department said. The Treasury Department put sanctions on Positive Technology, which has a broad international footprint and partnerships with such IT heavyweights as Microsoft and IBM, earlier this year.
The Commerce Department’s Bureau of Industry and Security (BIS) has released a final rule adding four foreign companies to the Entity List for engaging in activities that are contrary to the national security or foreign policy interests of the United States. The four entities are located in Israel, Russia, and Singapore.
NSO Group and Candiru (Israel) were added to the Entity List based on evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, business people, activists, academics, and embassy workers.
These tools have also enabled foreign governments to conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists and activists outside of their sovereign borders to silence dissent. Such practices threaten the rules-based international order.
Transnational repression is defined as governments reaching across borders to silence dissent among diasporas and exiles, including through assassinations, illegal deportations, abductions, digital threats, Interpol abuse, and family intimidation.
Positive Technologies (Russia), and Computer Security Initiative Consultancy PTE. LTD. (Singapore) were added to the Entity List based on a determination that they traffic in cyber tools used to gain unauthorized access to information systems, threatening the privacy and security of individuals and organizations worldwide.
The End-User Review Committee (ERC) which is chaired by the Department of Commerce and includes the Departments of Defense, State, Energy, and where appropriate, Treasury, determined that the conduct of these four entities raises sufficient concerns to place them on the Entity List pursuant to § 744.11(b) of the Export Administration Regulations (EAR).
The Entity List is a tool utilized by BIS to restrict the export, reexport, and in-country transfer of items subject to the EAR to persons (individuals, organizations, companies) reasonably believed to be involved, have been involved, or pose a significant risk of being or becoming involved, in activities contrary to the national security or foreign policy interests of the United States.
For the four entities added to the Entity List in this final rule, BIS imposes a license requirement that applies to all items subject to the EAR. In addition, no license exceptions are available for exports, reexports, or transfers (in-country) to the entities being added to the Entity List in this rule. BIS imposes a license review policy of a presumption of denial for these entities.
Today’s action is a part of the Biden-Harris administration’s efforts to put human rights at the center of U.S. foreign policy, including by working to stem the proliferation of digital tools used for repression.
This effort is aimed at improving citizens’ digital security, combatting cyber threats, and mitigating unlawful surveillance and follows a recent interim final rule released by the Commerce Department establishing controls on the export, re-export, or in-country transfer of certain items that can be used for malicious cyber activities.